[BreachExchange] During a Pen-Test University Of Kentucky Unveiled A Data Breach

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 9 11:48:23 EDT 2021


https://www.ehackingnews.com/2021/08/during-pen-test-university-of-kentucky.html

Cyberspace has witnessed a rapid surge in cyberattacks as hackers continue
to steal millions of documents at an alarming rate. A thorough penetration
test is important for countering their attempts throughout the year.

Likewise, the University of Kentucky conducted an annual cybersecurity
assessment that revealed a website flaw which may have enabled an
unauthorized person to purchase a copy of its College of Education
database. No financial, health, or Social Security data was leaked in the
database, which limits the potential for identity fraud.

According to the letter of violation issued by the university, the stolen
material mainly contained emails and passwords. No SSNs or financial
details were leaked.

Penetration tests are intended to evaluate security. The testing tools
imitate actual attack scenarios to detect and expose security holes that
can result in stolen records, compromised credentials, exposure of
intellectual property, PII, cardholder data, or personal and protected
health information, data ransom, or other detrimental business results.

Although UK has enhanced its cybersecurity over the last five years and
the issue has been spotted, UK will now implement extra security measures.
The database, used for the training and testing of K-12 schools in Kentucky
and other states, is part of the free resource scheme known as Digital
Driver's License.

The information in the breach included the names, e-mail addresses, and
addresses of Kentucky teachers and students and more than 355,000
individuals in all 50 states and 22 other nations. UK authorities have
notified the relevant regulatory bodies and the affected school districts.
The breach affected the university's Digital Driver's License platform, an
internet portal that the university established in the early 2000s as part
of the Open Source Tools for Instructional Support (OTIS) program.

“The University of Kentucky has spent more than $13 million on
cybersecurity in the last five years alone,” said Brian Nichols, UK’s chief
information officer. “We have increased cybersecurity investments and
enhanced our mitigation efforts in recent years, which enabled us to
discover this incident during our annual inspection process conducted by an
outside entity. Although the potential for identity theft is limited, we
take this incident seriously and it is unacceptable to us. As a result, we
will be taking additional measures to provide even more protection going
forward. UK's chief concern is end-user privacy and protection and we are
making every effort to secure end-user data.”